If you compare that text to the rules you made in fwbuilder, you'll recognize rules 0 and 1. Rule 10000 is that implicit deny rule.

If you ever wish to stop your firewall, use the disable switch:

# pfctl -d

To restart the firewall, you load your ruleset and enable pf. The ruleset will be in /etc and have the same name as your firewall; in my case, it is /etc/my_firewall.conf. To start this firewall, I use pfctl at the command line with the -f switch to load the ruleset and the enable switch to turn pf on (pfctl loads the file before it enables pf):

# pfctl -e -f /etc/my_firewall.conf

Alternatively, I can right-click the firewall in the Objects tree and choose Install from the drop-down menu. (Note that this will fail for the current set of rules, because they don't yet let the firewall connect to itself. It's easy to fix though, as shown in the next section.)

Note: if you added the line to /etc/rc.conf mentioned at the beginning of this article, add another line so that your ruleset is loaded again whenever the computer reboots:

pf_rules="/etc/my_firewall.conf"

where my_firewall.conf is the name of your ruleset. It is always a good idea to run pfctl -s rules after a reboot to double-check that your firewall is running.

Fine-Tuning the Rules

If you take a look at your first rule, it allows the firewall to go anywhere as a Source. However, nothing can connect to the firewall as a Destination. This includes the firewall making a connection to itself in order to install a policy, so if you were to add a rule you would get an error when you tried to install it. This is fine if you are happy with your firewall as is. Try it out--you should be able to surf, send/receive email, and do most of the things you normally do on the internet.

However, if you find you need to add more rules, you must start with a rule that allows the firewall to install a policy. Click on the number 0 in the first rule, go to the Rules menu, and select Insert Rule. Because the firewall needs to access the loopback management interface over ssh, it makes sense for the new rule to allow ssh from the firewall to its own loopback interface.

You haven't made a ssh object yet, so do so now. Click + next to Services to expand its tree. Right-click TCP and select New TCP Service. Under Name:, enter ssh. Under Destination Port Range Start, enter 22 and click the Apply Changes button. When finished, your firewall rules should resemble Figure 3.

Figure 3. Firewall rules that allow ssh

Before you can install the new rule, you will have to temporarily stop the firewall--remember, it currently doesn't allow any connections to itself.

# pfctl -d

Install the rulebase as usual; it will restart the firewall for you. You should be able to see your new rule if you type:
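The two places above where you check on pf (after a reboot, to confirm the firewall is running, and after installing the new rule, to confirm it is loaded) can be scripted. The following is an added example written for this article; it is not the article's own code and not anything fwbuilder generates. It assumes FreeBSD's pfctl(8): `pfctl -s info` prints a `Status: Enabled ...` line, `pfctl -s rules` prints the loaded rules one per line, and `pfctl -n` parses a ruleset without loading it. The `sample_rules` function is a constructed stand-in for `pfctl -s rules` output, used so the script can be read through on a machine without pf; the interface name `em0` and the exact rule text in it are assumptions.

```shell
#!/bin/sh
# Added example for this article; not the article's own code and not fwbuilder
# output. Helpers for checking pf after a reboot or after installing a new
# rulebase, plus a loader that dry-runs the ruleset before touching the running
# firewall. Assumes FreeBSD's pfctl(8).

# pf_is_enabled: read "pfctl -s info" output on stdin; succeed if pf is enabled.
pf_is_enabled() {
    grep -q '^Status: Enabled'
}

# pf_rule_count: read "pfctl -s rules" output (or a ruleset file) on stdin and
# print the number of rules, ignoring blank lines and comments.
pf_rule_count() {
    grep -c -v -e '^[[:space:]]*$' -e '^[[:space:]]*#'
}

# pf_has_loopback_ssh: read "pfctl -s rules" output on stdin; succeed if a pass
# rule lets TCP reach port 22 on lo0 (pfctl may print the port as "ssh").
# This is the rule the article adds so that fwbuilder can install a policy.
pf_has_loopback_ssh() {
    grep -E '^pass .*on lo0 .*proto tcp .*port = (22|ssh)' >/dev/null
}

# pf_load_safely FILE: parse FILE with -n first, so a typo in the ruleset fails
# here instead of leaving pf with a partially loaded ruleset; then load it and
# enable pf only if it is not already enabled ("pfctl -e" errors out otherwise).
pf_load_safely() {
    if ! pfctl -nf "$1"; then
        echo "pf_load_safely: $1 did not parse, nothing loaded" >&2
        return 1
    fi
    pfctl -f "$1" || return 1
    pfctl -s info | pf_is_enabled || pfctl -e
}

# sample_rules: constructed stand-in for "pfctl -s rules" output on a host with
# the article's two rules plus the loopback ssh rule. Not real pfctl output;
# "em0" is an assumed interface name.
sample_rules() {
    printf '%s\n' \
        'pass in quick on lo0 inet proto tcp from 127.0.0.1 to 127.0.0.1 port = 22 flags S/SA keep state' \
        'pass out quick inet from (em0) to any flags S/SA keep state' \
        'block drop in quick inet all'
}

# pf_report: summarize the live firewall when pfctl is present, otherwise the
# constructed sample, so the script runs on any machine.
pf_report() {
    if command -v pfctl >/dev/null 2>&1; then
        info=$(pfctl -s info 2>/dev/null || true)
        rules=$(pfctl -s rules 2>/dev/null || true)
    else
        info='Status: Disabled (no pfctl on this host, showing constructed sample)'
        rules=$(sample_rules)
    fi
    if printf '%s\n' "$info" | pf_is_enabled; then
        echo "pf: enabled"
    else
        echo "pf: NOT enabled"
    fi
    echo "rules loaded: $(printf '%s\n' "$rules" | pf_rule_count)"
    if printf '%s\n' "$rules" | pf_has_loopback_ssh; then
        echo "loopback ssh rule present: fwbuilder can install a policy"
    else
        echo "no loopback ssh rule: stop pf with 'pfctl -d' before installing from fwbuilder"
    fi
}

pf_report
```

Run it as root after a reboot in place of typing `pfctl -s rules` by hand, or call `pf_load_safely /etc/my_firewall.conf` from a shell to reload a ruleset you edited outside fwbuilder. The dry run matters because a ruleset that fails to parse is rejected as a whole, and noticing that only after `pfctl -d` leaves the host without a firewall until you fix the file.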

Conclusion

Today, I've demonstrated how to make a personal firewall that protects your system while allowing you to access the internet. My next article will show you how to install a NAT policy with fwbuilder and explore some of its other features.

Dru Lavigne
is a network and systems administrator, IT instructor, author and international speaker. She has over a decade of experience administering and teaching Netware, Microsoft, Cisco, Checkpoint, SCO, Solaris, Linux, and BSD systems. A prolific author, she pens the popular FreeBSD Basics column for O'Reilly and is author of BSD Hacks and The Best of FreeBSD Basics.